
Host Guardian Services


Every virtualisation platform (whether VMware, Hyper-V, Xen or KVM) is susceptible to Virtual Machines (VMs) being attacked or seized.

Protect your Virtual Machines from being compromised by utilising Windows 2016 Admin-trusted or TPM-trusted attestation with BitLocker encryption. The VM then runs only on designated, authorised infrastructure and is protected from compromised administrators.

Hyper-V VM disks and state are encrypted so only VM or tenant administrators can access them.

Is it right for me?

With Virtual Machines being more commonplace today, it is easier to live migrate, back up and replicate these workloads, but this also means that it is easier to seize or modify entire workloads by copying them onto a USB or network drive.

VM encryption alone is not sufficient to protect against compromised admin accounts, storage or network attacks, local admins gaining access, or unauthorised hosts running workloads; you need more.

Host Guardian Services (HGS) prevents anyone but authorised VM administrators from accessing data (including restricting VM console access to just authorised sessions). It attests the legitimacy of the Hyper-V host, and a certificate of health issued to the host is required to start and run VMs. This prevents scenarios where a VM is copied off and the attacker goes on to compromise confidential data.

A shielded Virtual Machine protects against inspection, theft, and tampering from both malware and data centre administrators.

Virtual machines (VMs) are shielded on Hyper-V hosts, with encrypted VM files to prevent them running on an unauthorised system.

Why choose The Bunker?

The Bunker have wide experience in deployments of HGS with Hyper-V and can help plan and deploy a platform to run HGS and Shielded VMs for you. This satisfies your security needs and gives you peace of mind that your data is safe, even at rest.

The Bunker can host and run your environment and you can decide who can have administrative access to the VM.

This additional layer of security allows you to run your Private Cloud environments to host your workloads using the latest Microsoft technology, providing you and your customers with the utmost confidence in the confidentiality of your data.

How Host Guardian Services work

Guarded Fabric uses 4 components to ensure Hyper-V hosts are healthy. Multiple components, including hardware security features, are used to measure the code and state from the moment the machine is powered on:

Code Integrity uses Virtualization-based Security to ensure that only allowed binaries can be run on the system from the moment the machine is started.

Virtualization-based Security (VBS) uses hardware security technology to create an area that is isolated from the kernel and applications, preventing external attacks.

The Trusted Platform Module (TPM) is an international standard for a secure crypto-processor. Windows Server 2016 Hyper-V enables a virtual TPM device for VMs so that they can take advantage of features such as BitLocker. The virtual TPM does not require a physical TPM to be present.

Host Guardian Service is used to implement a Guarded fabric by providing health attestation for the Hyper-V hosts and key protection for the key material that is required to run Shielded VMs.